This paper reports security problems with improper implementations of an improved version of FEA-M (fast encryption algorithm for multimedia). It is found that an implementation-dependent differential chosen-plaintext attack, or its chosen-ciphertext counterpart, can reveal the secret key of the cryptosystem if the involved (pseudo-)random process can be tampered with (for example, through a public time service). The implementation-dependent differential attack is very efficient in complexity and needs only O(n^2) chosen plaintext or ciphertext bits. In addition, this paper also points out a minor security problem with the selection of the session key. In real implementations of the cryptosystem, these security problems should be carefully avoided, or the cryptosystem has to be further enhanced to work under such weak implementations.

Key words: multimedia encryption, FEA-M, insecure implementation, differential attack, chosen-plaintext attack, chosen-ciphertext attack, pseudo-random process



1 Introduction 



Multimedia data play important roles in today's digital world. In many multimedia applications, such as pay-TV services, commercial video conferences and medical imaging systems, fast and secure encryption methods are required to protect the multimedia contents against malicious attackers. In recent years, many different multimedia encryption schemes have been proposed to fulfill such an increasing demand (Uhl and Pommer, 2005; Furht et al., 2004; Li et al., 2004). In (Yi et al., 2001), a new fast encryption algorithm for multimedia (FEA-M) was proposed, which bases its security on the complexity of solving nonlinear Boolean equations. Later FEA-M was employed to construct a key agreement protocol by the same authors in (Yi et al., 2002). Since then, some attacks on FEA-M have been reported (Mihaljević and Kohno, 2002; Mihaljević, 2004; Wu et al., 2004; Youssef and Tavares, 2004), most of which can break the key with a smaller complexity than the simple brute-force attack (Mihaljević and Kohno, 2002; Mihaljević, 2004; Wu et al., 2004), and one of which can completely break the whole cryptosystem with only one known and two chosen plaintext blocks (Youssef and Tavares, 2004).



To enhance the security and to avoid some other defects, an improved version of FEA-M was proposed in (Mihaljević, 2003). This paper reports some security problems with improper implementations of that cryptosystem. We point out that the secret key of the cryptosystem can be revealed by an implementation-dependent differential attack if the involved (pseudo-)random process can be tampered with. One such situation is when the pseudo-random process is uniquely controlled by an external source (such as a public time service), though it appears that such an implementation would not compromise the security of the cryptosystem itself. The proposed differential attack is very efficient, since only two pairs of chosen plaintext blocks are needed to completely reveal the key. As a result, in a real implementation of the cryptosystem, it should be ensured that the embedded pseudo-random process cannot be controlled by unauthorized users. Otherwise, the improved FEA-M has to be further enhanced to resist this implementation-dependent attack. In addition, a minor problem with the selection of the session key is also discussed in this paper.



2 Improved FEA-M 



The original FEA-M (Yi et al., 2001) is a block cipher with both plaintext and ciphertext feedback. It encrypts the plaintext in the form of n x n Boolean matrices, by an n x n Boolean key matrix. The elements of the matrices are either 0 or 1 and all matrix operations are carried out over GF(2), i.e., modulo 2. As a result, the ciphertext is also in the form of n x n Boolean matrices.



Previous works have shown that the original FEA-M has the following defects: 1) the key can be easily broken by an adaptive chosen-plaintext attack proposed in (Youssef and Tavares, 2004); 2) an efficient known-plaintext attack can break it with a complexity smaller than the brute-force attack (Mihaljević and Kohno, 2002; Mihaljević, 2004; Wu et al., 2004); 3) it is sensitive to packet loss (Mihaljević, 2003) and channel errors due to the use of plaintext feedback.



To overcome the above-mentioned security defects, Mihaljević (2003) proposed an improved FEA-M. The improved scheme contains two stages: a key distribution stage and a working stage. The first stage generates two n x n secret Boolean matrices, a session key K and an initial matrix V, generally from a master key $K_0$, which is also an n x n Boolean matrix and is known by both the sender and the receiver. The key distribution protocol is actually the one used in (Yi et al., 2002) and can be described as follows.



The sender selects K and V via a (pseudo-)random process, computes
$$K^* = K_0 K K_0, \quad (1)$$
$$V^* = K_0 V K_0, \quad (2)$$
and then sends $(K^*, V^*)$ to the receiver. The receiver recovers K and V by computing
$$K = K_0^{-1} K^* K_0^{-1}, \quad (3)$$
$$V = K_0^{-1} V^* K_0^{-1}. \quad (4)$$
Here $K_0$ is invertible by design, so Eqs. (3)-(4) exactly undo Eqs. (1)-(2).



After the key distribution stage, the sender and the receiver can start the encryption/decryption procedure with the session key K and the initial matrix V. Denoting the i-th n x n plain-matrix by $P_i$ and the i-th n x n cipher-matrix by $C_i$, the encryption procedure is
$$C_i = K\,(P_i + KVK^{-1})\,K^{n+i} + KVK^{-1}, \quad (5)$$
and the decryption procedure is
$$P_i = K^{-1}\,(C_i + KVK^{-1})\,K^{-(n+i)} + KVK^{-1}. \quad (6)$$
(Over GF(2) addition and subtraction coincide, so adding $KVK^{-1}$ in Eq. (6) undoes the addition in Eq. (5).) The above procedure repeats for each plain/cipher-matrix until the plaintext/ciphertext is exhausted.



3 Implementation-Dependent Differential Attack 



In this section, we describe an implementation-dependent differential attack on the improved FEA-M. This attack works under the condition that one can tamper with the involved (pseudo-)random process of the improved FEA-M so that it uses the same K and V in two separate encryption sessions.
Given two plain-matrices, $P_i^{(1)}$ and $P_i^{(2)}$, and their corresponding cipher-matrices, $C_i^{(1)}$ and $C_i^{(2)}$, we can get Eq. (7):
$$C_i^{(1)} + C_i^{(2)} = \big(K(P_i^{(1)} + KVK^{-1})K^{n+i} + KVK^{-1}\big) + \big(K(P_i^{(2)} + KVK^{-1})K^{n+i} + KVK^{-1}\big)$$
$$= K(P_i^{(1)} + KVK^{-1})K^{n+i} + K(P_i^{(2)} + KVK^{-1})K^{n+i} = K(P_i^{(1)} + P_i^{(2)})K^{n+i}. \quad (7)$$
Apparently, Eq. (7) means a simple relation between $\Delta C_i = C_i^{(1)} + C_i^{(2)} = C_i^{(1)} - C_i^{(2)}$ and $\Delta P_i = P_i^{(1)} + P_i^{(2)} = P_i^{(1)} - P_i^{(2)}$, i.e., the plaintext and the ciphertext differentials (sums):
$$\Delta C_i = K\,(\Delta P_i)\,K^{n+i}. \quad (8)$$
As a result, for two consecutive plaintext matrices, if we choose $\Delta P_{i+1} = \Delta P_i = \Delta P$, we can immediately deduce
$$\Delta C_{i+1} = K(\Delta P_{i+1})K^{n+i+1} = K(\Delta P)K^{n+i}K = \Delta C_i K. \quad (9)$$
Thus, if $\Delta C_i$ is invertible, the session key can be derived easily as follows:
$$K = (\Delta C_i)^{-1}\,\Delta C_{i+1}. \quad (10)$$
To make $\Delta C_i$ invertible, one should choose $\Delta P$ to be an invertible matrix over GF(2); note that K is always invertible by the design of the cryptosystem, so $\Delta C_i = K(\Delta P)K^{n+i}$ is invertible exactly when $\Delta P$ is.

After K is broken, one can substitute it into Eq. (5) to get a linear equation with $n^2$ unknown variables, i.e., the $n^2$ elements of the initial matrix V:
$$VK^{n+i} + K^{-1}V = K^{-2}\big(C_i - KP_iK^{n+i}\big)K. \quad (11)$$
By solving this linear equation, it is easy to recover V. Actually, we can further reduce the linear equation to deduce V directly. Choosing two consecutive plaintext matrices $P_i$, $P_j$ and adding the two linear systems, the terms $K^{-1}V$ cancel over GF(2) and one has
$$VK^{n+i} + VK^{n+j} = K^{-2}\big(C_i - KP_iK^{n+i}\big)K + K^{-2}\big(C_j - KP_jK^{n+j}\big)K. \quad (12)$$
Since $K^{n+i} + K^{n+j} = K^{n+i}(I + K^{j-i})$, V can be solved immediately when $I + K^{j-i}$ is invertible, by multiplying the right side by $(I + K^{j-i})^{-1}K^{-(n+i)}$ at the end. Note that $K^{n+i} + K^{n+j}$ is singular over GF(2) exactly when 1 is an eigenvalue of $K^{j-i}$ (for example, when K = I), and if 1 is an eigenvalue of K itself then it is an eigenvalue of every power of K, so no other choice of j helps. This is not a rare event: about 71% of the invertible matrices over GF(2) have eigenvalue 1 (for n = 4, 14336 of the 20160 elements of GL(4,2)), the fraction without it converging to roughly 0.29, i.e. $\prod_{k \ge 1}(1 - 2^{-k})$, as n grows. Once such an event occurs, one can turn to solving Eq. (11). If V still cannot be solved uniquely from Eq. (11), one has to carry out the attack with some other values of K until V can be uniquely solved.

Once K and V are both known, one can use the method proposed in Sec. III of (Youssef and Tavares, 2003) to recover the master key $K_0$.



To carry out a successful attack, in most cases the attacker only needs to choose two plaintexts with four chosen plaintext matrices, $P_i^{(1)}$, $P_{i+1}^{(1)}$, $P_i^{(2)}$ and $P_{i+1}^{(2)}$, which satisfy $P_i^{(1)} - P_i^{(2)} = P_{i+1}^{(1)} - P_{i+1}^{(2)} = \Delta P$ with $\Delta P$ an invertible matrix. Considering that each matrix is an n x n Boolean matrix, $4n^2$ chosen plain-bits are required in total. When n = 64, as suggested in (Yi et al., 2001, 2002), only 2048 plain-bytes are needed. In addition, the complexity of the proposed attack is very small; actually it is of the same order as the one proposed in (Youssef and Tavares, 2003). In the case that V cannot be solved with four chosen plaintext matrices, more plaintext matrices have to be chosen, but the number of chosen plaintext bits is still of the same order, $O(n^2)$.

Next, let us see in which improper implementations an attacker can manage to tamper with the involved (pseudo-)random process to activate the above differential attack. Apparently, the above attack requires two encryption sessions with the same session key K and the same initial matrix V, one for encrypting the first plaintext $\{\cdots, P_i^{(1)}, P_{i+1}^{(1)}\}$ and the other for encrypting the second plaintext $\{\cdots, P_i^{(2)}, P_{i+1}^{(2)}\}$. However, in each encryption session, K and V have to be reset at the sender side via a (pseudo-)random process and distributed to the receiver side via the key distribution protocol. As a result, two different sessions generally use different K and V. However, in the real world the encryption scheme may be improperly implemented such that the attacker can tamper with the (pseudo-)random process. As a typical example, let us assume that the process is uniquely determined by the system clock [1]. In chosen-plaintext attacks, the attacker has temporary access to the encryption machine, so he can intentionally alter the system clock to control the (pseudo-)random process before running each session and obtain the same K and V for two separate sessions. The same holds for any seed the attacker can observe or set, such as a time stamp taken from a public time service. In addition, if the improved FEA-M is implemented in such an insecure way that the second stage can restart without running the key distribution stage, the attack becomes straightforward.

[1] In (Yi et al., 2001, 2002; Mihaljević, 2003), it is not mentioned how to realize the random process. One of the simplest (though perhaps less frequently used) methods of realizing a pseudo-random process is to initialize the seed of the pseudo-random number generator with the current time stamp. A list of some other more complicated ways can be found in Section "The Collection of Data Used to Create a Seed for Random Number" of (Microsoft Corporation).



Finally, it deserves mention that the above differential chosen-plaintext attack can easily be generalized to a differential chosen-ciphertext attack, provided that the (pseudo-)random process at the decryption machine can be tampered with. Rewrite Eq. (8) in the following form:
$$\Delta P_i = K^{-1}\,(\Delta C_i)\,K^{-(n+i)}. \quad (13)$$
Then, by choosing $\Delta C_{i+1} = \Delta C_i$, one has
$$\Delta P_{i+1} = K^{-1}(\Delta C_{i+1})K^{-(n+i+1)} = K^{-1}(\Delta C_i)K^{-(n+i)}K^{-1} = \Delta P_i K^{-1}, \quad (14)$$
so that $K^{-1} = (\Delta P_i)^{-1}\Delta P_{i+1}$ whenever the chosen $\Delta C_i$ (and hence $\Delta P_i$) is invertible. Other steps are identical with the above differential chosen-plaintext attack.
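The scheme of Section 2 and the attack of this section, as an added worked example (not code from the paper or from any FEA-M implementation): a small GF(2) matrix toolkit, the key distribution and encryption/decryption of Eqs. (1)-(6), and the differential chosen-plaintext attack of Eqs. (8)-(12) run against a victim whose session key and initial matrix come from a PRNG seeded with nothing but a clock value (the weak implementation assumed here). The row-bitmask matrix convention, the seed-based session_keys routine, the attacker's choice of ΔP and the 256-clock retry bound are all assumptions of the example. The chosen-ciphertext variant of Eqs. (13)-(14) is the same computation with the roles of plaintext and ciphertext swapped and is not repeated.

```python
"""Improved FEA-M over GF(2) and the differential attack of Section 3; an added example,
not the paper's code. A matrix is a list of n ints: row r is a bitmask whose bit j is
entry (r, j). Addition is XOR (+ and - coincide) and A*B is the usual matrix product."""
import random

def gf2_identity(n):
    return [1 << j for j in range(n)]

def gf2_add(A, B):
    return [a ^ b for a, b in zip(A, B)]

def gf2_mul(A, B, n):
    out = []
    for a in A:                     # row r of A*B = XOR of the rows of B picked by row r of A
        acc = 0
        for j in range(n):
            if a >> j & 1:
                acc ^= B[j]
        out.append(acc)
    return out

def gf2_inv(A, n):
    """Gauss-Jordan on [A | I]; returns None when A is singular."""
    rows = [(A[r], 1 << r) for r in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][0] >> col & 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and rows[r][0] >> col & 1:
                rows[r] = (rows[r][0] ^ rows[col][0], rows[r][1] ^ rows[col][1])
    return [aug for _, aug in rows]

def gf2_pow(A, e, n):               # square-and-multiply, e >= 0
    R = gf2_identity(n)
    while e:
        if e & 1:
            R = gf2_mul(R, A, n)
        A, e = gf2_mul(A, A, n), e >> 1
    return R

def random_invertible(rng, n):
    while True:
        M = [rng.getrandbits(n) for _ in range(n)]
        if gf2_inv(M, n) is not None:
            return M

def session_keys(clock, n):
    """Assumed weak (pseudo-)random process: K and V come from a PRNG seeded by a clock value."""
    rng = random.Random(clock)
    return random_invertible(rng, n), [rng.getrandbits(n) for _ in range(n)]

def distribute(K0, K, V, n):        # sender, Eq. (1)-(2): K* = K0 K K0, V* = K0 V K0
    return gf2_mul(gf2_mul(K0, K, n), K0, n), gf2_mul(gf2_mul(K0, V, n), K0, n)

def recover(K0, Ks, Vs, n):         # receiver, Eq. (3)-(4)
    K0i = gf2_inv(K0, n)
    return gf2_mul(gf2_mul(K0i, Ks, n), K0i, n), gf2_mul(gf2_mul(K0i, Vs, n), K0i, n)

def encrypt(K, V, P, i, n):         # Eq. (5): C_i = K (P_i + K V K^-1) K^(n+i) + K V K^-1
    M = gf2_mul(gf2_mul(K, V, n), gf2_inv(K, n), n)
    return gf2_add(gf2_mul(gf2_mul(K, gf2_add(P, M), n), gf2_pow(K, n + i, n), n), M)

def decrypt(K, V, C, i, n):         # Eq. (6), with K^-(n+i) computed as (K^-1)^(n+i)
    Ki = gf2_inv(K, n)
    M = gf2_mul(gf2_mul(K, V, n), Ki, n)
    return gf2_add(gf2_mul(gf2_mul(Ki, gf2_add(C, M), n), gf2_pow(Ki, n + i, n), n), M)

def differential_attack(oracle, n, i=0):
    """oracle(clock, P_i, P_i+1) -> (C_i, C_i+1) runs one session under the (K, V) that `clock`
    yields. Two sessions on one clock give dC_i+1 = dC_i K (Eq. 9), so K = dC_i^-1 dC_i+1
    (Eq. 10); V follows from Eq. (12) if I + K is invertible, else we retry with the next clock."""
    rng = random.Random(12345)                      # attacker's own randomness
    D = random_invertible(rng, n)                   # the chosen, invertible dP
    P1 = [[rng.getrandbits(n) for _ in range(n)] for _ in range(2)]
    P2 = [gf2_add(P, D) for P in P1]                # P1 + P2 = dP for blocks i and i+1
    I = gf2_identity(n)
    for clock in range(1, 257):
        C1, C2 = oracle(clock, *P1), oracle(clock, *P2)
        dC = [gf2_add(a, b) for a, b in zip(C1, C2)]
        K = gf2_mul(gf2_inv(dC[0], n), dC[1], n)    # dC_i is invertible because dP is
        if gf2_inv(gf2_add(I, K), n) is None:
            continue
        Ki, rhs = gf2_inv(K, n), [0] * n
        for idx, (C, P) in enumerate(zip(C1, P1)):  # Eq. (12) with j = i+1
            T = gf2_add(C, gf2_mul(gf2_mul(K, P, n), gf2_pow(K, n + i + idx, n), n))
            rhs = gf2_add(rhs, gf2_mul(gf2_mul(gf2_pow(Ki, 2, n), T, n), K, n))
        V = gf2_mul(rhs, gf2_inv(gf2_mul(gf2_pow(K, n + i, n), gf2_add(I, K), n), n), n)
        return K, V, clock                          # V K^(n+i) (I + K) = rhs, solved for V
    return None

def attack_succeeds(n=8, i=0):
    """Clock-fixed victim; the attacker resets the clock between sessions and recovers (K, V)."""
    def oracle(clock, Pi, Pj):
        K, V = session_keys(clock, n)
        return encrypt(K, V, Pi, i, n), encrypt(K, V, Pj, i + 1, n)
    K, V, clock = differential_attack(oracle, n, i)
    return (K, V) == session_keys(clock, n)
```

attack_succeeds() returns True when the attacker's (K, V) equal the victim's. The clock loop is the example's stand-in for the paper's advice to retry with another K when I + K is singular; that happens for the majority of 8 x 8 keys, so the loop usually runs a few times before the first clock that works.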



4 A Minor Problem with Selection of Session Key 



It is noticed that K cannot be selected at random from all invertible matrices over GF(2). All n x n invertible Boolean matrices form the general linear group GL(n,2), whose order is $O = \prod_{i=0}^{n-1}(2^n - 2^i)$ (Wikipedia, 2005). So, denoting the order of K in GL(n,2) by o(K), it is true that $o(K) \mid O$ and $K^{o(K)} = I$, where I is the identity Boolean matrix (Gilbert and Gilbert, 2005). It is obvious that o(K) actually corresponds to the periodicity of the encryption/decryption function with respect to the plaintext/ciphertext index i, since $K^{n+i+o(K)} = K^{n+i}$. Generally speaking, the periodicity should not be too small to maintain an acceptable security level. As an extreme example, when K = I, o(K) = 1 and the encryption procedure becomes $C_i = P_i$ (the cipher vanishes). Thus, K should be selected randomly from all invertible Boolean matrices with sufficiently large orders, which means a significant reduction of the session key space.
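The order argument above, as an added worked example (not the paper's code): it computes o(K) by repeated multiplication, enumerates all of GL(4,2) to see how the 20160 keys split by order (only K = I has order 1, but well over a thousand keys have order at most 3), builds the companion matrix of the primitive polynomial $x^8 + x^4 + x^3 + x^2 + 1$ as an 8 x 8 key of order $2^8 - 1 = 255$, and, with the same enumeration, counts how many keys have I + K invertible, the condition under which Eq. (12) of Section 3 gives V directly. The row-bitmask matrix convention, the exhaustive-search invertibility test and the choice of polynomial are the example's own.

```python
"""Order of the session key K in GL(n, 2) and what it means for FEA-M (Section 4).
Added example, not the paper's code. A matrix is a list of n ints: row r is a bitmask
whose bit j is entry (r, j); all arithmetic is over GF(2), so addition is XOR."""

def gf2_identity(n):
    return [1 << j for j in range(n)]

def gf2_add(A, B):
    return [a ^ b for a, b in zip(A, B)]

def gf2_mul(A, B, n):
    out = []
    for a in A:                     # row r of A*B = XOR of the rows of B picked by row r of A
        acc = 0
        for j in range(n):
            if a >> j & 1:
                acc ^= B[j]
        out.append(acc)
    return out

def is_invertible(A, n):
    """Rows are independent iff their 2^n subset XORs are all distinct (fine for small n)."""
    span = {0}
    for r in A:
        span |= {s ^ r for s in span}
    return len(span) == 2 ** n

def gl_order(n):
    """|GL(n, 2)| = prod_{i=0}^{n-1} (2^n - 2^i)."""
    o = 1
    for i in range(n):
        o *= 2 ** n - 2 ** i
    return o

def order(K, n):
    """o(K): the least o >= 1 with K^o = I. It divides |GL(n, 2)|, which bounds the loop;
    K^(n+i) therefore repeats with period o(K) along the block index i."""
    I, P = gf2_identity(n), K
    for o in range(1, gl_order(n) + 1):
        if P == I:
            return o
        P = gf2_mul(P, K, n)
    raise ValueError("K is singular")

def all_invertible(n):
    """Every invertible n x n Boolean matrix, decoded from an n*n-bit integer code."""
    mask = 2 ** n - 1
    for code in range(2 ** (n * n)):
        K = [(code >> (n * r)) & mask for r in range(n)]
        if is_invertible(K, n):
            yield K

def order_histogram(n):
    """Exhaustive distribution of o(K) over GL(n, 2): how many keys have a tiny period."""
    hist = {}
    for K in all_invertible(n):
        o = order(K, n)
        hist[o] = hist.get(o, 0) + 1
    return hist

def count_shift_invertible(n):
    """Number of K in GL(n, 2) with I + K invertible (K has no eigenvalue 1), which is
    the condition under which Eq. (12) of Section 3 yields V directly."""
    I = gf2_identity(n)
    return sum(1 for K in all_invertible(n) if is_invertible(gf2_add(I, K), n))

def companion(low_bits, n):
    """Companion matrix of x^n + p(x), p given by its low n coefficient bits: row j maps
    x^j to x^(j+1) and row n-1 folds x^n back onto p(x). When x^n + p(x) is primitive,
    this K is multiplication by a primitive element and has order 2^n - 1."""
    return [1 << (j + 1) for j in range(n - 1)] + [low_bits & (2 ** n - 1)]
```

For n = 4 the histogram sums to |GL(4,2)| = 20160 and every order in it divides that number; the largest order is 15, attained by 2688 keys, and only 5824 keys have I + K invertible, so the fallback to Eq. (11) is needed for roughly 71% of the keys. The enumeration costs $2^{n^2}$ steps and is only meant for n <= 4; order() on a single key is cheap for any practical n.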



5 Conclusions 



This paper reports an implementation-dependent differential attack on an improved fast encryption algorithm for multimedia (FEA-M) proposed in (Mihaljević, 2003). The attack works under the condition that the involved (pseudo-)random process can be tampered with by the attacker. In this case, the attack can reveal the key with four or more chosen plaintext/ciphertext matrices, i.e., $4n^2$ chosen plain/ciphertext bits, in two or more separate encryption sessions. The result shows that a secure cryptosystem may become totally insecure through seemingly harmless implementation details in the real world (Schneier, 2000). In addition, a minor problem with the selection of the session key is also discussed in this paper.